Deakin Research Online
This is the published version:
Li, Bai and Batten, Lynn 2007, Using mobile agents to detect node compromise in path-based
DoS attacks on wireless sensor networks, in WICOM 2007 Proceedings of the International
Conference on Wireless Communications, Networking and Mobile Computing, Institute of
Electrical and Electronics Engineers (IEEE), Piscataway, N.J., pp. 2507-2510.
Available from Deakin Research Online:
http://hdl.handle.net/10536/DRO/DU:30007962
Reproduced with the kind permission of the copyright owner.
Copyright: 2007, Institute of Electrical and Electronics Engineers (IEEE).
Using Mobile Agents to Detect Node Compromise in Path-based DoS Attacks
on Wireless Sensor Networks
Bai Li
Deakin University
[email protected]
Lynn Batten
Deakin University
[email protected]
Abstract-Wireless sensor networks represent a new
generation of real-time embedded systems with
significantly different communication constraints from
the traditional networked systems. With their
development, a new attack called a path-based DoS
(PDoS) attack has appeared. In a PDoS attack, an
adversary, either inside or outside the network,
overwhelms sensor nodes by flooding a multi-hop end-to-end communication path with either replayed packets
or injected spurious packets. In this article, we propose a
solution using mobile agents which can detect PDoS
attacks easily.
Keywords-Denial of Service Attack, Detection, Sensor
Networks
I. INTRODUCTION
The path-based DoS attack was first described in detail
and named by Deng et al. in [4]. They pointed out that a
PDoS attack, by exhausting the batteries of several nodes,
has the potential to disable a much wider region than simply
a single path due to the standard tree structure topology of a
WSN. WSNs tend to be unstable and have limited resource
capacity and so are vulnerable to DoS attacks.
Figure 1 shows how PDoS attacks work. A standard
PDoS attack begins with the compromise of member nodes
and aggregator nodes which are then used to flood the
intermediate and sink nodes with packets along the routing
paths. The resulting excessive power consumption can lead
to a quick death of a WSN because the nodes are unable to
return to sleep mode in order to conserve power.
Few authors have tackled the problem of PDoS attacks on
a WSN. In this paper, we introduce a novel method of using
mobile agents in the WSN which permit us to detect these
attacks. To our knowledge, the only application of mobile
agents in sensor networks to appear in the literature is in the
paper of Tong [8], but these are not used for of attack.
Our methods are described in detail in sections 2 and 3. In
section 4, we evaluate the usefulness of our techniques and
in section 5, describe work which remains for future papers.
Figure 1. PDoS in WSNs
II. WORKING MODEL
We assume the WSN has a tree-structure topology, a
single base station and four types of nodes as shown in
Figure 2. A description of the node and base station
functions can be found in [6].
We add a mobile agent (MA) to the WSN (several may be
added in a large system) and assume that there is no
restriction on its computing power.
The work of [8] demonstrates that mobile agents (MAs)
are very useful in WSNs because they reduce
network load, encapsulate protocols, and are robust and
fault-tolerant. We assume that the base station and MA are
trusted and can never be compromised by attackers.
In order to distinguish between nodes which have been
compromised and those which have not, we need to
introduce a labeling for each node. We base this labeling on
3-dimensional co-ordinates in space [7], which can be
obtained by geographical location using triangulation. For
example, a node whose coordinates are 59° latitude,
29° longitude and height 2 metres has ID 59:29:2. We
assume that nodes cannot be positioned in the same
geographical location.
1-4244-1312-5/07/$25.00 © 2007 IEEE
Authorized licensed use limited to: DEAKIN UNIVERSITY LIBRARY. Downloaded on May 27, 2009 at 01:17 from IEEE Xplore. Restrictions apply.
Figure 2. Tree Structure of a WSN
III. DETECTION
Several methods for detecting DoS attacks in general
networks have been proposed.
More recently, en-route filtering schemes have been
proposed for intermediate nodes to filter false data generated
by malicious aggregator nodes as well as to detect intruders
engaged in what we have termed PDoS attacks [9] [10]. The
basic idea is that the intermediate nodes share some keys
with the member nodes in a node group or cluster. Member
nodes generate MACs for the reported data using the shared
keys, and intermediate nodes can verify the MACs before
forwarding packets. In the SEF scheme proposed by Ye et al.,
the Bloom filter [9] is used to reduce the size of MACs
and ensure their security. The intermediate nodes and
member nodes use randomly pre-distributed keys to
generate and verify MACs. In this scheme, it is highly likely
that the false data will be dropped by one of the intermediate
nodes and will not reach the base station. However, there
are several problems with the SEF scheme. First, SEF uses a
probabilistic approach. It cannot guarantee that every
spurious packet will be filtered out on the path. In addition,
statistically, a spurious packet will be forwarded for a
certain number of nodes before it is filtered out. Second, the
message overhead of SEF is still large. The Bloom filter is
14 bytes long, which is about half of the data
payload of a TinyOS packet.
Jing et al. [4] developed a method of using one-way hash
chains (OHCs) to protect end-to-end communications in WSNs
against PDoS attacks. First, it prevents PDoS attacks from the
intermediate nodes or from outside sources capable of
launching PDoS attacks, since an adversary cannot generate
the next valid OHC number, while replayed old OHC
numbers will be dropped. Second, the memory and
computational costs of OHC execution are quite lightweight.
Third, this scheme tolerates packet losses. But there are also
some obvious disadvantages. One of them is that it cannot
constrain PDoS attacks by the compromised nodes in
WSNs, especially the nodes which store the hash function.
All of the work using MACs results in high local
computing costs and subsequent death of nodes. The interleaved key scheme has extremely high communication
overhead. We therefore adapt the low-cost one-way hash
chain idea of Jing et al., but efficiently employ a mobile
agent to detect if the sender of the hash has been
compromised.
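The one-way hash chain check that the preceding paragraphs rely on, as an added example (not code from this paper or from [4]). SHA-256, the max_gap loss window, the sample seed and all names are assumptions; the last case shows the limitation noted above, that a node holding the chain is accepted however much it sends.

```python
import hashlib

def H(x: bytes) -> bytes:
    # SHA-256 stands in for the sensor's lightweight one-way function (assumption).
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [v0, v1, ..., vn] with v[i-1] = H(v[i]); v0 is the public anchor."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain

class IntermediateNode:
    def __init__(self, anchor: bytes, max_gap: int = 3):
        self.last = anchor        # most recent verified OHC number
        self.max_gap = max_gap    # hashes tried, so max_gap - 1 lost packets tolerated

    def accept(self, ohc: bytes) -> bool:
        """Forward only if hashing ohc at most max_gap times reaches self.last."""
        v = ohc
        for _ in range(self.max_gap):
            v = H(v)
            if v == self.last:
                self.last = ohc   # advance, so this value cannot be replayed
                return True
        return False              # replayed, forged, or too far ahead: drop

def demo() -> list:
    chain = make_chain(b"constructed-secret-seed", 10)   # constructed sample seed
    node = IntermediateNode(anchor=chain[0])
    return [
        node.accept(chain[1]),        # next value in the chain
        node.accept(chain[1]),        # replay of an old value
        node.accept(chain[3]),        # chain[2] was lost in transit
        node.accept(b"\x00" * 32),    # injected packet with a guessed value
        node.accept(chain[4]),        # source holding the chain: still accepted
    ]

if __name__ == "__main__":
    print(demo())
```

Because the final case passes verification, the hash chain alone cannot bound a compromised source, which is why the traffic table kept by the MA is needed.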
Our detection solution includes a one-way hash chain, a
traffic control algorithm, detection of node compromise and
node failure and a voting algorithm. We choose the one-way
hash chain as it has low computational requirements and is
easy to deploy [4]. The one-way hash chain is used to detect
any compromised node except for source nodes. We use a
traffic control algorithm to detect the misbehavior of source
nodes since the adversary could compromise them to access
the one-way hash function. We also use message
broadcasting from the MA to distinguish between node
failure and node compromise, because node failure, which is
a technical problem rather than an attack, could generate
higher traffic flow in a local area or along some paths.
Finally, a voting algorithm is used to decide whether
suspicious nodes have been compromised based on the votes
from their neighbour nodes.
A. TRAFFIC CONTROL ALGORITHM
When one node wants to send packets to its neighbour
nodes, not only will it include a hash function value, but also
it includes its node ID in order to let the MA recognize the
source of packets and record them into a traffic table. In
Table 1, for each 5 second interval, the number of packets
passing through the corresponding node is given in the
column. If the traffic in each interval is normal, that is,
below a certain given threshold W, the MA will simply
delete the contents of the table and refresh it for the next
time-frame. If the traffic of certain nodes in the table is
abnormal (i.e. is above W), the MA will take further steps to
tell whether the node has failed or been compromised.
TABLE I
NUMBER OF PACKETS FOR A GIVEN NODE IN SEVERAL TIME INTERVALS

Node ID    0-5 secs   5-10 secs   10-15 secs   15-20 secs   20-25 secs
21:34:1    22         43          72           32           45
22:35:0    13         65          37           99           24
24:30:2    87         55          32           40           14

The algorithm below detects abnormal traffic by choosing
a threshold W and counting the number of times the traffic
through a specific node exceeds W in a fixed table. If this
occurs more than say w times, the MA then considers the
node to be compromised or failed, but cannot tell which.
(The values of w and W can be set initially and adjusted
using experimental information over time.) Let T be the
number of intervals in the table and P(i,j) be the table entry in
row i and column j. The following is the pseudo code:
PROCEDURE PDoSDetectionofNode_i
    Set m = 0
    For (j = 1; j <= T; j++)       // wait for timeout and start next interval check
        Case (P(i,j) ≤ W)          // normal state
            // nothing to record; continue with the next interval
        Case (P(i,j) > W)          // probably abnormal state
            m = m + 1              // accumulate the warning times for that node
            If (m ≥ w)             // enter abnormal state
                PROCEDURE NodeFailureDetection   // used to detect node failure
            End If
        End Case
    End For
End PROCEDURE
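The traffic check above run over Table I, followed by the ACK triage and neighbour voting of sections B and C, as an added example (not the authors' code). The thresholds W = 50 and w = 2, the vote threshold, the ACK replies, the relayed messages and the two extra neighbour IDs are constructed for illustration.

```python
import secrets

# Table I from the text: node ID -> packets seen in each 5-second interval.
TABLE = {
    "21:34:1": [22, 43, 72, 32, 45],
    "22:35:0": [13, 65, 37, 99, 24],
    "24:30:2": [87, 55, 32, 40, 14],
}
W, w = 50, 2      # assumed thresholds; the paper leaves both to be tuned
MIN_VOTES = 2     # assumed number of votes against a node that convicts it

def suspects(table, W, w):
    """Traffic control: nodes whose count exceeds W in at least w intervals."""
    return [n for n, row in table.items() if sum(p > W for p in row) >= w]

def failed(all_nodes, acked):
    """Failure detection: nodes that did not ACK the MA's check broadcast."""
    return sorted(set(all_nodes) - set(acked))

def compromised(challenge, relayed, min_votes):
    """Voting: a neighbour votes against a suspect whose relayed copy differs
    from the MA's own broadcast; min_votes such votes mark it compromised."""
    against = {}
    for (_voter, suspect), msg in relayed.items():
        if msg != challenge:
            against[suspect] = against.get(suspect, 0) + 1
    return sorted(s for s, v in against.items() if v >= min_votes)

def run_ma():
    flagged = suspects(TABLE, W, w)
    # Constructed replies: 24:30:2 stays silent, the other two nodes ACK.
    dead = failed(TABLE, acked=["21:34:1", "22:35:0"])
    live = [n for n in flagged if n not in dead]
    challenge = secrets.token_hex(8)          # fresh random message from the MA
    # Constructed relays: (neighbour, suspect) -> what the suspect passed on.
    # Neighbour IDs 20:33:1 and 23:36:2 are hypothetical.
    relayed = {}
    for s in live:
        relayed[("21:34:1", s)] = challenge             # faithful copy
        relayed[("20:33:1", s)] = "forged-" + challenge
        relayed[("23:36:2", s)] = "forged-" + challenge
    return flagged, dead, compromised(challenge, relayed, MIN_VOTES)

if __name__ == "__main__":
    print(run_ma())
```

With these inputs two nodes exceed the threshold twice; the silent one is reported as failed and the responding one is convicted by two of its three neighbours.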
The procedure for Node Failure Detection is described in
the next section.
B. DETECTION FOR NODE FAILURE
Both node compromise and node failure can lead to
abnormal traffic flow during a short period or in a localized
area of a WSN. So we have to eliminate the node failure
condition in order to make our Traffic Control algorithm
work well. When the MA goes into PROCEDURE
NodeFailureDetection, it will simply broadcast a check
message to all the nodes in the WSN. The MA counts the
number of acknowledgment (ACK) packets received and
compares with the number of nodes which do not reply, in
order to determine the failed nodes. Responding nodes
include their IDs and this allows the MA to determine the
IDs of the non-responding nodes. The MA concludes that all
non-responding nodes have failed and reports this to a
technical support team.
C. VOTING ALGORITHM FOR NODE COMPROMISE
In this section, we now determine which of the nodes that
did respond to the MA message are in fact compromised. To
do this, we use the MA to broadcast a new random message
at random times to all the responding nodes exhibiting
abnormal traffic patterns. When these nodes receive this
message, they will try to send the same message to their
neighbor nodes. However, as described in the well-known
Byzantine Generals Problem [5], compromised nodes will
attempt to transmit conflicting information to other parts of
the system. We base our voting algorithm on this fact: if
node A receives the same message from node B and the
MA, node A will vote that node B is not compromised and
send back this voting result along with both IDs to the MA.
When the MA has received a certain number of votes
against a node, the MA will decide that node has been
compromised. The MA now takes steps to recover the
compromised node. Figure 3 shows how the voting algorithm
for node compromise works.
Figure 3. Message sending between nodes and the MA
We can assume that the WSN has sufficient nodes to
make such a voting algorithm reliable. On the other hand, in
very large-scale WSNs, there could be thousands of nodes,
in which case several MAs could be applied in order to
implement the detection algorithm. One advantage of using
MAs is that they can provide seamless technology to a very
big network. So there are no problems in deploying more of
them into WSNs.
In addition, node compromise is a fairly slow process, as
mentioned in [2], when detection methods are in place. Thus
it is unlikely that, at any given time, more than half the
nodes would be compromised.
IV. EVALUATION
For our simulation model we generate 50 nodes in a
200x200m square area. The radio transmission range is 40
meters and the data rate of the wireless link is 2Mbps. The
data traffic is generated by constant bit rate with an
interarrival time of 25ms. For each node there are two
transmission queues, one for control packets and one for
data packets. The control queue is used for control packets
such as route requests and it always has higher priority than
the data queue. We also set up a timer if a packet has not
reached the destination in 10 seconds. The packet length for
data packets is 10kbits with 500 bits for the header message.
The queue length for data packets is 50 for all nodes. The
timer which is used to resend the message if there is no
reply is set to 50 ms.
Figure 5 compares the time to detect attacks between our
method, the en-route filtering method and the SEF method.
We measure the detection time in seconds and the attack
rate in SYN/sec.
As indicated, our method is significantly better than the
others when the attack rate is between 17 SYN/sec and 28
SYN/sec.
[Figure 5: plot titled "Detection under Different Attack Rate"; y-axis: Time to Detect (sec); x-axis: Attack Rate (SYN packets/sec); series: En-route filtering, SEF, Our Method]
Figure 5. Detection Time under Different Attack Rate
As indicated, our method is significantly better than the
others when the attack rate is between 16 SYN/sec and 28
SYN/sec. For large attack rates, we can see that it takes less
time to detect the attack.
[Figure 6: plot titled "Energy Comparison on Detection"; y-axis: Energy Consumption (mA); x-axis: Attack Rate (SYN packets/sec); series: En-route filtering, SEF, Our method]
Figure 6. Energy Comparison on Detection
Figure 6 shows the energy comparison between the
detection methods. We can see that our method uses less energy
to detect the attacks.
V. CONCLUSIONS AND FUTURE WORK
We have presented a new detection method for node
compromise in PDoS attacks in a WSN and evaluated our
results, based on small WSNs, including comparison with
other work. Our work demonstrates the efficiency of our
detection methods in comparison with existing methods
when only a few nodes have been compromised.
In future work, we will implement these methods in large-scale WSNs. We will also use mobile agents to develop
response and recovery methods in PDoS attacks.
REFERENCES
[1] Bagrodia R., Meyer R., Takai M., Chen Y., Zeng, J.
Martin X., and Song Y., “PARSEC: A Parallel
Simulation Environment for Complex Systems”,
IEEE Computer, vol. 31, no. 10, Oct. 1998.
[2] Becher A., Benenson Z., and Dornseif M.,
“Tampering with motes: Real-world physical
attacks on wireless sensor networks,” In 3rd
International Conference on Security in Pervasive
Computing (SPC), April 2006.
[3] Chuang C. and Gerla M., “Routing and multicast in
multihop, mobile wireless networks”, ICUPC ’97,
pp. 546-51, vol. 2, Oct. 1997.
[4] Deng, J., Han, R., and Mishra, S., 2005,
“Defending against path-based DoS attacks in
wireless sensor networks”, In Proceedings of the
3rd ACM Workshop on Security of Ad Hoc and
Sensor Networks (Alexandria, VA, USA,
November 07 - 07, 2005). SASN '05. ACM Press,
New York, NY, 89-96.
[5] Lamport, L., Shostak, R., and Pease, M., 1982, The
Byzantine Generals Problem. ACM Trans.
Program. Lang. Syst. 4, 3 (Jul. 1982), 382-401.
[6] Rahim I., “A Fault-tolerant Routing Algorithm for
Wireless Sensor Networks”,
undergraduate.csse.uwa.edu.au, Oct. 2006.
[7] Stewart J. 2001, Calculus, 2rd, Brooks/Cole Ltd, 2001.
[8] Tong L., Zhao Q., and Adireddy S., “Sensor
networks with mobile agents,” in Proc. 2003
Military Communications Int Symp., Boston, MA,
Oct. 2003, pp. 688–693.
[9] Ye F., Luo H., Lu S., and Zhang L., “Statistical en-route
detection and filtering of injected false data in
sensor networks,” In IEEE INFOCOM 2004.
[10] Zhu S., Setia S., Jajodia S., and Ning P., An
interleaved hop-by-hop authentication scheme for
filtering of injected false data in sensor networks.
In 2004 IEEE Symposium on Security and Privacy,
Oakland, CA, USA, May 2004.